Someone who’s well-versed in social engineering can easily talk their way into your network. In this video, you’ll learn about social engineering principles and what you can look for to protect against these attacks.
<< Previous Video: Watering Hole Attacks Next: Denial of Service >>
Social engineering is a very low tech form of a security attack. In fact, that doesn’t involve any technology at all. It involves someone else who’s trying to gain access by using social engineering techniques.
You never know exactly what the bad guys are going to come up with next. They’re always using different stories and different ideas to try to gain information from you, using these social engineering techniques.
Social engineering may involve one person trying to gain access or it maybe multiple people in multiple organizations acting simultaneously. They’re all coordinating their efforts and hoping that you’ll drop your shield and allow them access to anything that they might need.
This might be done in person, over the phone. It might be somebody who’s sending you an email electronically. Sometimes it’s somebody who’s being very aggressive on the phone and putting you in a very difficult situation. This is where social engineering becomes very unique.
Another example of social engineering that you might not be expecting, are the bad guys taking advantage of the situations where there might be a funeral and sending funeral notifications to people that are inside of your company. These are ways that the bad guys are using to try to gain access without us even realizing that it’s happening.
There are a number of principals associated with social engineering. The first thing one we’ll talk about is authority. A social engineer is the person who’s trying to gain access so they’re going to pretend that they have some type of authority that allows them access to this information.
They may say that they’re calling from the help desk. That they’re with the police department. They might be with the office of the CEO. And instantly, it might make us think that we need to provide this information to them.
Another principle used in social engineering is intimidation. And it may not be something that is directly focused on you, it may instead be a situation that is intimidating. They might say that bad things will happen if you don’t help. Or it could be something as simple as saying, the payroll checks aren’t going to go out unless I get this information from you.
Another principle that’s commonly used is called consensus. You might also hear this referred to as social proof. They’re using other people and what they’ve done to try to justify what they’re doing. They might tell you that your coworker was able to provide this information last week. They’re not in the office now so it’s something that maybe you could provide for them.
Social engineers also like to have a clock that’s ticking. There needs to be scarcity. This particular situation is only going to be this way for a certain amount of time, we have to be able to resolve this issue before this timer expires.
If the person doing the social engineering can inject some type of urgency, then they can make things move even faster. This needs to happen quickly. Don’t even think about it. Just provide this information right now so that we can solve this problem.
Another technique that they use is one of familiarity. They become your friend. They talk about things that you like, and by doing that, they make you familiar with them on the phone and make you want to do things for them.
And of course, the social engineer is going to try to create trust between you and him. He’s going to try to tell you that he’s going to be able to solve all of your problems. He’s going to be able to fix all of these issues. You just need to trust him and provide the information he’s asking for.
One very frightening example of social engineering happened to Naoki Hiroshima. He has the Twitter user name @N, and as you can imagine, that is a pretty nice username to have. You can read all about this particular event on his medium.com post. This happened because the bad guy talked to PayPal. Did not talk to Mr. Hiroshima, instead, called PayPal and used social engineering to learn what the last four digits of his credit card were.
He then called GoDaddy because that’s where Mr. Hiroshima had all of his websites. And told them he lost his credit card, but he can validate himself with the last four digits. GoDaddy said he also needed to know the first two digits of the card and for some reason, GoDaddy allowed him to guess until he got it right. This obviously was not very good security from GoDaddy’s perspective, but it was very good social engineering from the bad guy.
At that point, the bad guy owned all of Mr Hiroshima’s domains. Had access and control over everything. And then, told him how about we swap? I’ll give you access to your domains again, all you have to do is give me the @N username. And at that point, there was nothing else that he could do. He says, yes, I agree to this swap.
He then went to Twitter and said, this was a problem. This is what happened. This was taken from me illegally. It took about a month, but eventually, Twitter gave him access again to his @N username. You can read all about how I lost my $50,000 Twitter username at his medium.com post.
This is social engineering that involved multiple organizations, but ultimately, the bad guy was able to get exactly what he wanted just by using these social engineering techniques.